How can I un-taint my DKIM config after exim upgrade?

Debian upgrade to exim4 4.94 brings new headache: tainted variables. I have several virtual domains handled by my exim and hence I use variable expansion to obtain DKIM domain, selector and key. In my 000_localmacros is: DKIM_CANON = relaxed # Get the domain from the outgoing mail. DKIM_DOMAIN = ${sg{${lc:${domain_data:$h_from:}}}{^www\.}{}} DKIM_SELECTOR = ${lookup{DKIM_DOMAIN}lsearch{/etc/exim4/dkim/selector.map}} # The file is based on the outgoing domain-name in the from-header. DKIM_FILE = /etc/exim4/dkim/DKIM_DOMAIN/DKIM_SELECTOR/private.key # If key exists then use it, if not don't. DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}} (these variables are then used in Debian's default files transport/30_exim4-config_remote_smtp). Sadly this generates: 2021-09-10 07:13:27.625 1mOYqk-0007WN-8p Warning: Tainted filename '/etc/exim4/dkim/example.com/n201711/private.key' Note that I did replace $domain already with $domain_data as suggested by the documentation but it does not help. How can I fix this so I can remove my allow_insecure_tainted_data = yes statement?